Well-built course with plenty of takeaways and labs to do independently.

Matt, UPS

ICS515: ICS Active Defense and Incident Response will help you deconstruct ICS cyber attacks, leverage an active defense to identify and counter threats in your ICS, and use incident response procedures to maintain the safety and reliability of operations.

This SANS course on ICS Active Defense and Incident Response will empower students to understand their networked industrial control system environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This process of monitoring, responding to, and learning from threats internal to the network is known as active defense. An active defense is the approach needed to counter advanced adversaries targeting ICS, as has been seen with malware such as Stuxnet, Havex, and BlackEnergy2. Students can expect to come out of this course with the ability to deconstruct targeted ICS attacks and fight these adversaries and others. The course uses a hands-on approach and real-world malware to break down cyber attacks on ICS from start to finish. Students will gain a practical and technical understanding of leveraging active defense concepts such as using threat intelligence, performing network security monitoring, and utilizing malware analysis and incident response to ensure the safety and reliability of operations. The strategy and technical skills presented in this course serve as a basis for ICS organizations looking to show that defense is do-able.

You Will Learn:

How to perform ICS incident response focusing on security operations and prioritizing the safety and reliability of operations.

How ICS threat intelligence is generated and how to use what is available in the community to support ICS environments. The analysis skills you learn will enable you to critically analyze and apply information from ICS threat intelligence reports on a regular basis.

How to identify ICS assets and their network topologies and how to monitor ICS hotspots for abnormalities and threats. Methodologies such as ICS network security monitoring and approaches to reducing the control system threat landscape will be introduced and reinforced.

How to analyze ICS malware and extract the most important information needed to quickly scope the environment and understand the nature of the threat.

How to operate through an attack and gain the information necessary to instruct teams and decision-makers on when operations must shut down, or if it is safe to respond to the threat and continue operations.

How to use multiple security disciplines in conjunction with each other to leverage an active defense and safeguard the ICS, all reinforced with hands-on labs and technical concepts.

Course Syllabus

ICS515.1: Threat Intelligence

Overview

Industrial control system (ICS) security professionals must be able to leverage internal and external threat intelligence to critically analyze threats, extract indicators of compromise (IOCs), and guide security teams to find threats in the environment. Today you will learn how threat intelligence is generated, how to critically analyze reports, and the basic tenets of active defense functions. Students will become better analysts and critical thinkers by learning skills useful in day-to-day operations, regardless of their jobs and roles. This day features four hands-on labs that include building a Programmable Logic Controller (PLC), identifying information available about assets online through Shodan, completing an analysis of competing hypotheses, and ingesting threat intelligence reports to guide their practices over the rest of the labs in the course.

Exercises

CYBATIworks Kit - Build a PLC

ICS Information Attack Surface Mapping with Shodan

ICS Honeypots and Analysis of Competing Hypotheses

Consuming ICS Threat Intelligence

CPE/CMU Credits: 6

Topics

Case Study: Havex

Introduction to ICS Active Defense and Incident Response

Intelligence Life Cycle and Threat Intelligence

ICS Information Attack Surface

External ICS Threat Intelligence

Internal ICS Threat Intelligence

Sharing and Consuming ICS Threat Intelligence

ICS515.2: Asset Identification and Network Security Monitoring

Overview

Understanding the networked environment is the only way to fully defend it: you cannot defend what you do not know. This course section will teach students to use tools such as Wireshark, tcpdump, SGUIL, ELSA, CyberLens, Bro, NetworkMiner, and Snort to map their ICS network, collect data, detect threats, and analyze threats to drive incident response procedures. During this section, students will be introduced to the lab network and an advanced persistent threat (APT) that is present on it. Drawing on threat intelligence from the previous course section, students will have to discover, identify, and analyze the threat using their new active defense skills to guide incident responders to the affected Human Machine Interface (HMI).

Exercises

Asset Discovery and Network Visualization

Collecting the Right Data from ICS Assets

Intrusion Detection Systems

ICS Network Analysis

CPE/CMU Credits: 6

Topics

Case Study: BlackEnergy2

ICS Asset and Network Visibility

Identifying and Reducing the Threat Landscape

ICS Network Security Monitoring - Collection

ICS Network Security Monitoring - Detection

ICS Network Security Monitoring - Analysis

ICS515.3: Incident Response

Overview

The ability to prepare for and perform ICS incident response is vital to the safety and reliability of control systems. ICS incident response is a core concept in an ICS active defense and requires that analysts safely acquire digital evidence while scoping the environment for threats and their impact on operations. ICS incident response is a young field with many challenges, but students in this section will learn effective tactics and tools to collect and preserve forensic-quality data. Students will then use this data to perform timely forensic analysis and create IOCs. In the previous section's labs, APT malware was identified in the network. In this section, the labs will focus on identifying which system is impacted and gathering a sample of the threat that can be analyzed.

Exercises

Acquisition in an Operational Environment

Verification and Event Analysis

Incident Response and Initial Triage

Indicators of Compromise in Action

CPE/CMU Credits: 6

Topics

Case Study: Stuxnet

Incident Response and Digital Forensics Overview

Preparing an ICS Incident Response Team

Evidence Acquisition

Sources of Forensic Data in ICS Networks

Time-Critical Analysis

Maintaining and Restoring Operations

ICS515.4: Threat and Environment Manipulation

Overview

Understanding the threat is key to discovering its capabilities and its potential to affect the ICS. The information extracted from threats through processes such as malware analysis is also critical to making the changes to the environment needed to reduce the effectiveness of the threat. This information is vital to an ICS active defense, which requires internal data collection to create and share threat intelligence. In this section, students will learn how to analyze initial attack vectors such as spearphishing emails, perform timely malware analysis, analyze memory images, and express indicators of compromise (IOCs) as YARA rules. The previous section's labs identified the infected HMI and gathered a sample of the APT malware. In this section's labs, students will analyze the malware, extract information, and develop YARA rules to complete the active defense model introduced in the class and maintain operations.

Exercises

Analyzing Initial Attack Vectors and Spearphishing Emails

Memory Forensics with Volatility

Timely Malware Analysis and Sandboxes

YARA Development

CPE/CMU Credits: 6

Topics

Case Study: German Steelworks

ICS Threat and Environment Manipulation Goals and Considerations

Establishing a Safe Working Environment

Analyzing Acquired Evidence

Memory Forensics

Malware Analysis Methodologies

Case Study: BlackEnergy2 Automated Analysis

Indicators of Compromise

Environment Manipulation

ICS515.5: Active Defense and Incident Response Challenge

Overview

This section focuses on reinforcing the strategy, methodologies, skillsets, and tools introduced in the first four sections of the course. This entirely hands-on section will present students with two different scenarios. The first involves data collected from an intrusion into SANS Cyber City. The second involves data collected from a Distributed Control System (DCS) infected with malware. This section will truly challenge students to utilize their ICS active defense and incident response skills and test themselves.

Exercises

Scenario One

The first half of the day will introduce packet captures and system images from an intrusion into SANS Cyber City

Students will leverage their active defense skills to identify and respond

Scenario Two

The second half of the day will introduce packet captures and system images from an intrusion into a DCS environment

Students will again leverage their active defense skills to identify and respond to real-world malware and understand the impact on the environment

Additional Information

Testimonials

"Establishing an ICS-IA program is of paramount importance not only for the national lab but for all sectors. We want to model ours after industry expertise; that expertise is found at SANS and its instructors." - Anonymous, Idaho National Labs

"This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it inspired me to learn more." - Srinath Kannan, Accenture

"Clone Rob so SANS can offer this class more frequently." - Mike Smith, Department of Energy

"Very good for any ICS program, security focused or not." - Jeremy Thomas, Idaho National Labs

"Unique coverage of an important topic. Best I've seen so far." - Jonathan D. Abolins, US Department of Defense

"Relevant content my team will need to know." - Sam Blaney, U.S. Army

"Very powerful tools and concepts!" - Randy Wagner, Basin Electric

"It opened up a new perspective, gave me hands-on advice, and I had several 'aha-moments'. A spectacular class." - Dr. Thomas Rid, Kings College London

"This course is the missing piece to get companies to take threats seriously, pursue the truth, and share their findings." - Rob Cantu, DOE

"This course covered quite a few topics that showed an attack from start to finish. I liked it because most other classes only show specific steps, not the whole picture." - Anonymous

Laptop Required

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

Ability to disable all security software on your laptop, including antivirus and/or firewalls

At least 100 GB of hard-drive space

At least 8 GB of RAM

Local Administrator Access within the host operating system and BIOS settings

Wireless Ethernet 802.11 B/G/N/AC

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

ICS Incident Response Team Leads and Members who want to learn how to respond to advanced threats safely in the ICS with a focus on combined and continued security

ICS and Operations Technology Security Personnel who want to learn how to leverage an ICS active defense to include network security monitoring and threat intelligence

IT Security Professionals who want to expand their knowledge into the ICS field with an understanding of ICS protocols, threats, and priorities

Security Operations Center (SOC) Team Leads and Analysts who want to learn how to monitor OT networks and ICS assets in an ICS SOC or dual IT/OT SOC

ICS Red Team and Penetration Testers who want to learn the latest in defense tactics to identify how they can better perform, and how they can better highlight areas for improvement in ICS networks

Active Defenders who want to challenge themselves to identify and respond to advanced targeted threats

Prerequisites

Students from either an IT or ICS background will do well in this course. Prior to attending, it is recommended that you take SANS ICS410 or an equivalent essential cybersecurity class such as SEC401, or that you have fundamental cybersecurity experience. Students do not need previous ICS experience, but they should be comfortable with ICS terminology and systems such as SCADA, DCS, PLCs, and RTUs, and should have an understanding of the distinct risks and mitigation approaches in OT environments.

Create indicators of compromise (IOCs) in OpenIOC and YARA while understanding sharing standards such as STIX and TAXII

Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber Defense Cycle, and the ICS Cyber Kill Chain to extract information from threats and use it to encourage the long-term success of ICS network security

Hands-on Training

Build a Programmable Logic Controller (PLC) using a CYBATIworks Kit

Identify information available about assets online through Shodan

Complete an analysis of competing hypotheses

Ingest threat intelligence reports

Identify and leverage new active defense skills to guide incident responders to the Human Machine Interface (HMI) affected by an advanced persistent threat (APT) on the lab network

Identify which system is affected by APT malware identified in the network and assemble a sample of the threat that can be analyzed.

From the infected HMI and samples of the APT malware identified, analyze the malware, extract information, and develop YARA rules to complete the active defense

Address two different hands-on, real-world scenarios: the first involves data collected from an intrusion into SANS Cyber City, and the second involves data collected from a Distributed Control System (DCS) infected with malware.

Author Statement

This class was developed from my experiences in the U.S. intelligence community and within the control system community dealing with advanced adversaries targeting industrial control systems. It is the class I wish I had had available to me while protecting infrastructure against these adversaries. It is exactly what you'll need to maintain secure and reliable operations in the face of determined threats. ICS515 will empower you to prove that defense is do-able.